CTE Licensing Model
CipherTrust Transparent Encryption (CTE) supports the CTE base, CTE for Kubernetes, and LDT add-on licenses.
CTE base: Standalone license to use the CTE solution. This license is required to use add-on LDT licenses. CTE SAP HANA, Teradata, and Efficient Storage are available as part of the CTE base license.
Note
CTE base is required to register CTE (rebranded VTE-Vormetric Transparent Encryption) clients with the CipherTrust Manager. This is distinct from CTE UserSpace, which is the rebranded ProtectFile FUSE.
CTE for Kubernetes: Standalone license to use the CTE for Kubernetes feature. This is the equivalent of the Container Security feature from Vormetric Transparent Encryption. Every node of a Kubernetes cluster consumes one CTE - KubernetesProtection license. The license applies to the worker nodes where Container Storage Interface (CSI) is attached to the application pod.
Thales CipherTrust Manager Community Edition includes CTE for Kubernetes. Refer to Thales CipherTrust Manager Community Edition for details.
Live Data Transformation (LDT) add-on: Add-on license to use the LDT feature. Add-on licenses require a CTE base license activated on the CipherTrust Manager.
These licenses are offered through the following licensing models:
Refer to Activating CTE Licenses for instructions on how to activate CTE licenses.
Trialware
Provides the fully-functional CTE solution for 90 days with pre-installed trial license. After the trial period expires, CTE configurations on the CipherTrust Manager become read-only. Only decryption of GuardPoints and GuardPolicies is allowed; LDT-enabled registration is not allowed.
This is the default license shipped with the CipherTrust Manager.
Note
After upgrading the CipherTrust Manager from a supported version, to activate the trial licenses, run the command: ksctl licensing trials activate --id "CipherTrust Manager Full Trial"
Time-limited Rental
Provides the fully-functional CTE solution for a prepaid charge for a specific period of time, for a specific number of clients.
This license comes with a grace period of 90 days. After the license period expires, the grace period starts. During the grace period, CTE continues working normally. However, after the grace period is over, CTE configurations on the CipherTrust Manager become read-only. Only decryption of GuardPoints and GuardPolicies is allowed; LDT-enabled registration is not allowed.
The CipherTrust Manager GUI starts showing a notification about the remaining license time. The license renewal can be ordered before the license expires.
The number of clients that can be registered with the CipherTrust Manager is limited by the number of licenses purchased.
Note
For example, if a 1-year license is purchased for 1000 clients, then only 1000 clients can be registered with the CipherTrust Manager.
Perpetual Licensing Model
Provides the fully-functional CTE solution for a prepaid charge with no time limit, for a specific number of clients.
Note
The number of clients that can be registered with the CipherTrust Manager is limited by the number of licenses purchased.
For example, if a perpetual license is purchased for 1000 clients, then only 1000 clients can be registered with the CipherTrust Manager.
A CipherTrust Manager appliance administrator can install the CTE license.
Add-on Licenses
CTE offers the Live Data Transformation (LDT) feature as an add-on license. To use the LDT feature, you need a CTE base license activated on the CipherTrust Manager.
Thales CipherTrust Manager Community Edition
Thales CipherTrust Manager Community Edition includes CTE for Kubernetes. If your CTE for Kubernetes license is unavailable or has expired, license enforcement switches to the Community Edition.
License-based restrictions apply to the number of CSI nodes registered with the CipherTrust Manager, not on the number of CTE clients.
All operations are allowed on the CSI resources. No restrictions apply.
A maximum of three Kubernetes nodes can be registered with the CipherTrust Manager. Attempts to register more nodes will be rejected.
Activating CTE Licenses
Activating a CTE license requires a license string for the CipherTrust Manager with which the clients will be registered. This string is generated when a license is activated on the Sentinel EMS License Portal.
Refer to Activating a Connector License for details.
After the CTE base license is activated, it state becomes Active on the Features tab of the Licensing page of the CipherTrust Manager GUI. The license is displayed with the feature name CTE - TransparentEncryption. CTE SAP HANA, Teradata, and Efficient Storage are available as part of the CTE base license.
After the base CTE license is installed, LDT and CSI add-on licenses can be activated and installed. The steps to install the add-on licenses are the same as installing a connector license. Refer to Activating a Connector License for details. The installed LDT and CSI licenses are displayed with the feature names CTE - LiveDataTransformation and CTE - KubernetesProtection.
Note
When a client is unregistered (unenrolled), the number of Used Clients on the Licensing page remains the same. To update the clients usage, the unregistered client must be deleted from the CipherTrust Manager. After the client is deleted, the license is released and can be used to register another client.
License Enforcement
Expected behavior with CTE and CTE LDT is explained in this section.
CipherTrust Manager appliance has activated Connector licenses: When Connector licenses are activated and uploaded to a CipherTrust Manager, you can register clients to the license capacity. The number of clients that you can register cannot exceed the Connector license count.
Reaching license capacity: If you attempt to register additional clients, registration fails because the license count has been exhausted. In this case, users can delete currently configured clients or buy additional licenses to register new clients.
If you have many existing clients, and later apply a new license which allows for fewer client registrations, a warning is displayed and a system banner appears across all pages. This banner persists as long the number of Used Clients under Client Usage exceeds the number of Total Clients. No clients are deleted, but you cannot register more clients.
License expires: The CipherTrust Manager GUI displays a red banner to inform the administrator of expired licenses. At this time, no new client registration is allowed. However, the users can still manage currently registered clients for 90 days from the license expiry. After 90 days, changes on currently registered clients are restricted and only decryption of data is allowed.